Markus Schumacher. Darmstadt University of Technology Department of Computer Science Wilhelminenstr Darmstadt, Germany
|
|
- Gwen Anderson
- 8 years ago
- Views:
Transcription
1 FIREWALL PATTERNS Markus Schumacher Darmstadt University of Technology Department of Computer Science Wilhelminenstr Darmstadt, Germany markus@securitypatterns.org Abstract In this paper we provide three firewall patterns. The firewall pattern describes how access to internal networks can be restricted in general. It shows the basic problems and indicates a general solution. The other two patterns are more specific variants which are usually used in order to implement access control at the network border. This paper is also an experiment of understanding what it means to specialize security patterns and how we can cope with this presenting them in a useful and joyful way to the reader. The patterns themselves are part of an initiative to integrate known security-related patterns into an overall security pattern system.
2 Introduction In this paper we present selected network security patterns. Some of them have initially been presented in a security book and at PLoP 2001 [8, 7]. Before we step into the patterns, we first give an overview of the patterns contained in this paper. We introduce an overall scenario which illustrates the common context for all patterns. Then we discuss the pattern template we used. The remainder of the paper contains three firewall security patterns. Overview In this paper we present three patterns which describe how networks can be protected with basic firewall techniques (see for example [2]). In particular, we present a generic FIREWALL pattern as well as the two more specific patterns PACKET FILTER and PROXY. More formally, we understand this relation between patterns as follows 1 : Let P 1 and P 2 be patterns. Then we say that P 1 specializes P 2 if the context and/or the problem (as well as the corresponding forces) of P 1 is more specific than the contextand/or problem of P 2. This notion would mean, that we take a pattern and either add more specific facts or make certain statements more specific. By nature, this will also make the solution more specific. Presenting patterns in this way requires, however, a trade-off between readability and correctness (e.g. should we really repeat all more general elements and add the specific ones?). As such, this paper is also the author s experiment of understanding what it means to specialize patterns and how we can cope with this presenting useful and joyful to the reader. Basically a firewall controls the traffic between two or more networks in different administrative domains. For the sake of simplicity, we just refer to an internal (the protected network) and an external network (where the bad guys are). Figure 1 illustrates a scenario which represents the context of the patterns in this paper. Thereis an internal network with a set of hosts connected, e.g. the system I 1. The internal network is connected with a routing device to one or more external networks. Basically, the external network cannot be trusted. Thus it is important to distinguish regular packets from malicious connections originated from an attacker. Otherwise, the security of the internal systems cannot be guaranteed. 1 A even more formal definition is given by the author [6].
3 Attacker I1 Router Internal Network External Network Figure 1: Transition between internal and external network. Pattern Template In contrast to the original work [8, 7], we present the patterns here in a more familiar form which is similar to Alexander s original template: Each pattern is divided into three parts which are separated by three diamond symbols ( ). Hereby, name and context create the introductory part, problem statement, forces and solution build the central part and the references to other patterns present the closing part. Each pattern begins with a name (i.e.the heading of the section). The next few sentences are in a you form. They describe a context in which you may or may not find yourself. If you don t find yourself in such a context, the pattern probably isn t relevant for you. Then we provide a brief description of the problem in bold face (highlighting core elements of the pattern instead of giving them separate headings increases the readability). Afterwards, a number of forces (threats, attacks, etc.) that must be considered are discussed (now with a regular font face). The next section begins with a bold face Therefore and contains the core of the solution. This is followed by additional information about the pattern, how the forces are resolved (i.e. the consequences) and how to use or implement the pattern. Finally, we include references to related patterns. Pattern Roadmap In this paper we present only a subset of security patterns at the network layer. In particular, our focus is on firewall solutions. More patterns, e.g. dealing with INTRUSION DETECTION, VIRTUAL PRIVATE NETWORK, and further types of firewalls will complement the pattern landscape as illustrated in Figure 2.
4 Firewall Packet Filter Proxy Network Address Translation ++ Cost Cost + Performance Performance ++ Usability Usability Security level = low Security level = high Stateful Filter Security level = medium Figure 2: Firewall Pattern Landscape. The diagram is a slight variant of a UML class diagram 2. Each box indicates a pattern where a solid-line border indicates a pattern discussed in this document and a dashed-line box indicates a pattern that is identified but left for future work. For the patterns discussed in the following we provided the dominant forces of the pattern inside the box. A + or ++ indicates that the pattern resolves the corresponding force in a good or optimal way. In turn, a - or - - indicates a rather bad resolution of the force 3. For example, the pattern PACKET FILTER resolves the forces cost, performance, and usability in an optimal way. This is bought by a rather low level of security (compared to a PROXY). On the other hand, the pattern PROXY provides a high level of security that leads to losses of performance and usability. Note that a PACKET FILTER is usually cheaper than a PROXY, i.e. you have to pay the price for the higher security level. The arrows between the boxes indicate the specialize relation between the patterns 2 The analogy to UML breaks down sooner or later. For example, the pattern name echoes the solution and can often be about dynamic actions, while a class name tends to be a thing, not an action. 3 We haven t provided such quality trends of a pattern for the FIREWALL pattern due to its more generic nature.
5 as described before. For example, the PACKET FILTER specializes the generic FIREWALL pattern. That way a hierarchy of the patterns is established. The more generic patterns are intended for decision makers and the more concrete patterns should guide those who are responsible for the implementation of a security concept and have to meet certain boundary conditions (e.g. price and impact on usability).
6 Firewall You operate a network that is connected to an external, untrusted network by means of a regular routing device. You can control the internal network but you have no influence over the external network. As such, both networks represent different administrative domains. How can you prevent that attackers can probe, access and misuse any system inside of the internal network? It is unlikely that the access control facilities of all internal systems are activated and configured appropriately. In particular, out-of-the box installations offer standard services which can be misused by an attacker. Even if there are access restrictions it is unlikely that they are consistent, especially when more than one administrator is involved and there are no global guidelines. Even worse, we can assume that most internal systems are not hardened: experience shows that patches aren t applied in time and that many, often unneeded services are running. This makes internal system also vulnerable to attacks at a rather low level. Another basic threat is that the overall network topology is visible, i.e. an attacker can analyze possible targets without further burden. Furthermore, it might happen that attacks can t even be detected as one cannot ensure that the audit facilities of the internal systems are activated and configured appropriately. Therefore, you should restrict the ingoing and outgoing traffic at the border between the internal and the external network. The regular router has to be replaced with a firewall system (or extended accordingly) that implements the following functions: analysis, access control, filtering and modification. The firewall must be able to analyze the messages which are sent through it. The analysis itself can be conducted in several ways which differ in parameters such as technical implementation, quality, or granularity. For example, it is possible to analyze the semantics of specific protocol headers, the different states of a protocol, or the relationship between several parallel connections. Based on the information gathered before, a firewall will be able to make an access control decision. First, the message has to be identified somehow, e.g. by the
7 identity of the user, the process Id of the corresponding application or network addresses. With the given information the firewall can now decide whether a particular message is dangerous or not (hereby, a set of rules is usually evaluated). Possible access control actions are to grant, reject, discard, or modify messages. A real world example for a firewall is the guard of a prison in a more oppressive country. The guard can examine all letters for and from the prisoners. He is basically in a position to decide whether a letter is passed or not. The consequences of applying a firewall between two networks can be summarized as follows: + Accountability. As a firewall analyzes all messages which pass through it, rather fine-grained log information can be generated easily. Thus it is possible to detect possible attacks and to hold regular users responsible for their actions. + Availability. A firewall also helps to increase the availability of internal systems as the attack surface is made smaller significantly. + Confidentiality/Integrity. As there is an additional line of defense, the confidentiality and integrity of information hosted at the internal systems is increased, too. - Manageability. A firewall is an additional, complex component of the network infrastructure. Thus, the efforts for managing the network are higher. - Usability. Integrating a firewall often requires to change applications or the user s behavior. In either way, a firewall has an impact on the usability. - Performance. The analysis and access control decision process consumes additional processing time. Thus, every firewall decreases the performance. Especially in high-bandwidth environments, this is an important issue. - Cost. There will be additional costs for setting up and maintaining a firewall. More special variants of this pattern are PACKET FILTER and PROXY. The former is rather cheap and fast but provides security only at the Internet and Transport level. The latter is more expensive, more complex and slower but provides a high security level that covers all layers of the network stack.
8 In order to implement the firewall pattern, one of several available ACCESS CON- TROL patterns have to be selected (e.g. [3]). It is also necessary to DEFINE IDEN- TIFICATION AND AUTHENTICATION DRIVERS [1] and to SELECT AN IDENTI- FICATION AND AUTHENTICATION STRATEGY [4]. Furthermore, a firewall is some sort of a CHOKE POINT in a more general sense [9]. It should implement the security principle DEFENSE IN DEPTH and should FAIL SECURELY [5].
9 Packet Filter You decided to restrict the ingoing and outgoing traffic at the border between the internal and the external network with a FIREWALL. How can you implement a firewall that is fast and doesn t decrease the usability too much? An important issue is the performance between internal and external network. Any changes at the network border might have an impact on the available bandwidth. Users don t want to bother to change their behavior or their applications in order to meet more or less abstract security needs. Usability is often the primary requirement that has to be satisfied. Especially smaller companies cannot afford expensive security solutions. This includes both purchase and maintenance. Therefore, you should restrict network traffic at rather low levels of the protocol stack. According to a set of filter rules such a packet filter firewall can determine whether a particular packet is acceptable. Any packet that doesn t satisfy the security guidelines (implemented with the filter rules) will be rejected or discarded. In particular, the packet filter analyzes the headers of the Internet and Transport layers in order to determine addresses, port numbers and flags of the given packet. That way, the firewall can, for instance, identify valid internal destination addresses and application port numbers. It is also basically possible to track the state of a particular connection. Possible access control actions are to grant, reject or discard packets. Considering our example of a prison guard we can draw the analogy that the guard checks whether the prisoners are allowed to receive or send letters based on the postal address. Beside the consequences of applying a generic firewall, the specific consequences of applying a packet filter firewall between two networks can be summarized as follows: + Accountability. A packet filter can log the details of processed packets as well as the access control decisions. For example, it can keep track of all packets which are rejected.
10 - Manageability. The filter rules can become complex very easily. Administrators have care about the order of the rule processing and ensure that the firewall performs its task as intended. + Usability. As packet filters operate at lower levels of the protocol stack, they are more or less transparent for users and applications. + Performance. Processing every packet decreases the performance. However, a packet filter is a rather fast firewall as it works at lower levels and can be implemented within the kernel. Nevertheless, Denial-of-Service attacks are still possible. + Cost. Many routers are shipped with packet filter functionality, i.e. the additional costs are minimal. This pattern specializes the FIREWALL pattern and is a variant to the PROXY pattern. The relations of the FIREWALL pattern are inherited.
11 Proxy You decided to restrict the ingoing and outgoing traffic at the border between the internal and the external network with a FIREWALL. How can you achieve the highest level of protection? It is important to have a fine-grained view on the packets which travel from the inside to the outside network and vice versa. Otherwise you might miss important information for making an appropriate access control decision. In the worst case, you ll take the wrong access control decision. When you want to reach such a security level, you are often willing to sacrifice performance and/or usability. Therefore, you should virtually separate the networks and restrict network traffic at the application level of the protocol stack. Such a proxy firewall is able to analyze application related information as well as any data that can be derived from the lower layers of the protocol stack. The packet moves up the protocol stack and is only passed to the other side of the network when the rules allow it, i.e. there is no direct connection between client and server. In addition to network addresses and application ports, specific elements of an application protocol can be taken into account when making an access control decision. For example, the user s account name can be determined. As proxies split up network connections, additional security services can be integrated, e.g. authentication servers. A proxy can also modify certain parts of a message, e.g. replace particular (dangerous) commands. However, this only works in a straightforward way if the protocols are not encrypted. Basically, a proxy requires to rebuild protocols for each application. As this can become complex, there are only proxies for the most popular applications available. As proxies re-implement protocols, they also protect against implementation faults in the protocol stacks of the internal systems. Our real-world prison guard would check the address of the letter. Furthermore, he would open the letter and search for offensive content (e.g. a prisoner tries to arrange further crimes from the inside). If necessary, the guard censors the letter or holds it back.
12 Beside the consequences of applying a generic firewall, the specific consequences of applying a proxy firewall between two networks can be summarized as follows: + Accountability. Proxies can log virtually any information contained in a packet at a fine-grained level. - Manageability. In order to maintain a proxy firewall, administrators have to be familiar with the corresponding application protocols. The effort increases for each proxy that is used. - Usability. Often it is required to change the user s behavior (login to a proxy first and then connect to internal/external systems) or to modify applications (configure which proxy should be used). Problems can occur, whenever several proxies are cascaded. - Performance. As proxies analyze packets in a very detailed way, they are comparably slow firewall solutions. However, a proxy can also improve performance assuming it has caching capabilites. - Cost. Proxies are more expensive than packet filters. It could happen that proxies have to be customized which increases the cost further. This pattern specializes the FIREWALL pattern and is a variant to the PACKET FILTER pattern. The relations of the FIREWALL pattern are inherited.
13 Acknowledgments I like to thank my shepherd Rick Dewar for his valuable comments and helpful suggestions for improvement. I also want to thank Utz Roedig for discussing early drafts of the patterns included in this document with me. I also want to thank all people of Workshop C and all the good girls and bad boys of EuroPLoP. References [1] Susan Chapin and Duane Hybertson. Define I&A Design Drivers. The MITRE Corporation, [2] D. Brent Chapman and Elizabeth D. Zwicky. Building Internet Firewalls. O Reilly & Associates, Inc., [3] Eduardo B. Fernandez and Rouyi Pan. A Pattern Language for Security Models. Technical report, Florida Atlantic University, PLoP. [4] Jody Heaney, Susan Chapin, Ann Reedy, Duane Hybertson, and Jr. Malcolm Kirwan. Select I&A Strategy. The MITRE Corporation, [5] Sasha Romanosky. Enterprise Security Patterns. In Proc. of EuroPLoP, [6] Markus Schumacher. Security Engineering with Patterns. PhD thesis, Darmstadt University of Technology, [7] Markus Schumacher and Utz Roedig. Security Engineering with Patterns. In Proc. of the 8th Conference on Pattern Languages of Programming (PLoP), [8] Markus Schumacher, Utz Rödig, and Marie-Luise Moschgath. Hacker Contest - Sicherheitsprobleme, Lösungen, Beispiele. Xpert.press. Springer Verlag, ISBN X. [9] Joseph Yoder and Jeffrey Barcalow. Architectural Patterns for Enabling Application Security. PLoP, 1997.
Module 8. Network Security. Version 2 CSE IIT, Kharagpur
Module 8 Network Security Lesson 3 Firewalls Specific Instructional Objectives On completion of this lesson, the students will be able to answer: What a firewall is? What are the design goals of Firewalls
More informationΕΠΛ 674: Εργαστήριο 5 Firewalls
ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized
More informationA Pattern Language for Firewalls
A Pattern Language for Firewalls Eduardo B. Fernandez, Maria M. Larrondo-Petrie, Naeem Seliya, Nelly Delessy, and Angela Herzberg Dept. of Computer Science and Eng. Florida Atlantic University Boca Raton,
More informationChapter 9 Firewalls and Intrusion Prevention Systems
Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish
More informationFIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall
More information20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7
20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic
More informationΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science
ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users
More informationCMPT 471 Networking II
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
More informationFIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
More informationCSCI 7000-001 Firewalls and Packet Filtering
CSCI 7000-001 Firewalls and Packet Filtering November 1, 2001 Firewalls are the wrong approach. They don t solve the general problem, and they make it very difficult or impossible to do many things. On
More informationSecurity threats and network. Software firewall. Hardware firewall. Firewalls
Security threats and network As we have already discussed, many serious security threats come from the networks; Firewalls The firewalls implement hardware or software solutions based on the control of
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 40 Firewalls and Intrusion
More informationECE 578 Term Paper Network Security through IP packet Filtering
ECE 578 Term Paper Network Security through IP packet Filtering Cheedu Venugopal Reddy Dept of Electrical Eng and Comp science Oregon State University Bin Cao Dept of electrical Eng and Comp science Oregon
More informationSE 4C03 Winter 2005 An Introduction of Firewall Architectures and Functions. Kevin Law 26 th March, 2005-03-29
SE 4C03 Winter 2005 An Introduction of Firewall Architectures and Functions Kevin Law 26 th March, 2005-03-29 1). Introduction A person who has used the Internet before would hear about the term firewall.
More informationOverview. Firewall Security. Perimeter Security Devices. Routers
Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security
More informationSFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004
SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 Introduction: A computer firewall protects computer networks from unwanted intrusions which could compromise confidentiality
More informationChapter 15. Firewalls, IDS and IPS
Chapter 15 Firewalls, IDS and IPS Basic Firewall Operation The firewall is a border firewall. It sits at the boundary between the corporate site and the external Internet. A firewall examines each packet
More informationBasics of Internet Security
Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational
More informationSecurity Technology: Firewalls and VPNs
Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up
More informationInternet infrastructure. Prof. dr. ir. André Mariën
Internet infrastructure Prof. dr. ir. André Mariën (c) A. Mariën 31/01/2006 Topic Firewalls (c) A. Mariën 31/01/2006 Firewalls Only a short introduction See for instance: Building Internet Firewalls, second
More informationCS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013
CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access
More informationHow To Understand A Firewall
Module II. Internet Security Chapter 6 Firewall Web Security: Theory & Applications School of Software, Sun Yat-sen University Outline 6.1 Introduction to Firewall What Is a Firewall Types of Firewall
More information83-10-41 Types of Firewalls E. Eugene Schultz Payoff
83-10-41 Types of Firewalls E. Eugene Schultz Payoff Firewalls are an excellent security mechanism to protect networks from intruders, and they can establish a relatively secure barrier between a system
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More informationFirewalls. Ahmad Almulhem March 10, 2012
Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2
More informationProxy Server, Network Address Translator, Firewall. Proxy Server
Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as
More informationFirewalls and VPNs. Principles of Information Security, 5th Edition 1
Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches
More informationIMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT
IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT Roopa K. Panduranga Rao MV Dept of CS and Engg., Dept of IS and Engg., J.N.N College of Engineering, J.N.N College of Engineering,
More informationFirewall Design Principles Firewall Characteristics Types of Firewalls
Firewall Design Principles Firewall Characteristics Types of Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for these slides. Fall 2008
More informationFirewalls. Chapter 3
Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border
More informationWhat is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?
What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to
More informationComputer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1
Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton
More informationCSE331: Introduction to Networks and Security. Lecture 12 Fall 2006
CSE331: Introduction to Networks and Security Lecture 12 Fall 2006 Announcements Midterm I will be held Friday, Oct. 6th. True/False Multiple Choice Calculation Short answer Short essay Project 2 is on
More informationInternet Security Firewalls
Internet Security Firewalls Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA Overview Exo-structures Firewalls Virtual Private Networks Cryptography-based technologies IPSec Secure Socket Layer
More informationFirewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA
Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..
More informationFirewalls (IPTABLES)
Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context
More informationSecure networks are crucial for IT systems and their
ISSA The Global Voice of Information Security Network Security Architecture By Mariusz Stawowski ISSA member, Poland Chapter Secure networks are crucial for IT systems and their proper operation. Essential
More informationOn Building Secure SCADA Systems using Security Patterns. Outline
On Building Secure SCADA Systems using Security Patterns E.B.Fernandez, J.Wu, M.M. Larrondo-Petrie, and Y. Shao Dept. of Computer Science and Engineering Florida Atlantic University Boca Raton, FL, USA
More informationNetwork Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion
Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann
More informationLehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall
Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Firewalls Intrusion Detection
More informationFirewalls and Intrusion Detection
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
More informationHow To Protect Your Network From Attack From Outside From Inside And Outside
IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles
More informationFirewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues
CS 155 May 20, 2004 Firewalls Basic Firewall Concept Separate local area net from internet Firewall John Mitchell Credit: some text, illustrations from Simon Cooper Router All packets between LAN and internet
More informationFirewalls, IDS and IPS
Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not
More informationG/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy
For Public Use G/On Basic Best Practice Reference Guide Version 6 Make Connectivity Easy 2006 Giritech A/S. 1 G/On Basic Best Practices Reference Guide v.6 Table of Contents Scope...3 G/On Server Platform
More informationNetworking for Caribbean Development
Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n
More informationHow To Protect Your Firewall From Attack From A Malicious Computer Or Network Device
Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet
More informationIntrusion Detections Systems
Intrusion Detections Systems 2009-03-04 Secure Computer Systems Poia Samoudi Asli Davor Sutic Contents Intrusion Detections Systems... 1 Contents... 2 Abstract... 2 Introduction... 3 IDS importance...
More informationGuideline on Firewall
CMSGu2014-02 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Firewall National Computer Board Mauritius Version 1.0 June
More informationInternet Security Firewalls
Overview Internet Security Firewalls Ozalp Babaoglu! Exo-structures " Firewalls " Virtual Private Networks! Cryptography-based technologies " IPSec " Secure Socket Layer ALMA MATER STUDIORUM UNIVERSITA
More informationFIREWALL ARCHITECTURES
FIREWALL ARCHITECTURES The configuration that works best for a particular organization depends on three factors: The objectives of the network, the organization s ability to develop and implement the architectures,
More informationIntro to Firewalls. Summary
Topic 3: Lesson 2 Intro to Firewalls Summary Basic questions What is a firewall? What can a firewall do? What is packet filtering? What is proxying? What is stateful packet filtering? Compare network layer
More informationFirewalls, Tunnels, and Network Intrusion Detection. Firewalls
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More informationI. INTRODUCTION II. PROBLEM DOMAIN. A. Multimedia Applications. A. IP-Telephony
Evaluating and Improving Firewalls for IP-Telephony Environments Utz Roedig 1, Ralf Ackermann 1, Ralf Steinmetz 1,2 1 - Darmstadt University of Technology - Industrial Process and System Communications
More informationChapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall
Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure
More information8. Firewall Design & Implementation
DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or
More informationDeveloping Network Security Strategies
NETE-4635 Computer Network Analysis and Design Developing Network Security Strategies NETE4635 - Computer Network Analysis and Design Slide 1 Network Security Design The 12 Step Program 1. Identify network
More informationA Study of Network Security Systems
A Study of Network Security Systems Ramy K. Khalil, Fayez W. Zaki, Mohamed M. Ashour, Mohamed A. Mohamed Department of Communication and Electronics Mansoura University El Gomhorya Street, Mansora,Dakahlya
More informationFig. 4.2.1: Packet Filtering
4.2 Types of Firewalls /DKo98/ FIREWALL CHARACTERISTICS 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the
More informationFirewall Architecture
NEXTEP Broadband White Paper Firewall Architecture Understanding the purpose of a firewall when connecting to ADSL network services. A Nextep Broadband White Paper June 2001 Firewall Architecture WHAT
More informationWhat would you like to protect?
Network Security What would you like to protect? Your data The information stored in your computer Your resources The computers themselves Your reputation You risk to be blamed for intrusions or cyber
More informationINTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM
INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: victorkleo@live.com ABSTRACT Internet security
More informationPROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES
PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute
More informationHow To Protect Your Network From Attack
Department of Computer Science Institute for System Architecture, Chair for Computer Networks Internet Services & Protocols Internet (In)Security Dr.-Ing. Stephan Groß Room: INF 3099 E-Mail: stephan.gross@tu-dresden.de
More informationChapter 11 Cloud Application Development
Chapter 11 Cloud Application Development Contents Motivation. Connecting clients to instances through firewalls. Chapter 10 2 Motivation Some of the questions of interest to application developers: How
More information12. Firewalls Content
Content 1 / 17 12.1 Definition 12.2 Packet Filtering & Proxy Servers 12.3 Architectures - Dual-Homed Host Firewall 12.4 Architectures - Screened Host Firewall 12.5 Architectures - Screened Subnet Firewall
More informationRSVP as Firewall Signalling Protocol
RSVP as Firewall Signalling Protocol Utz Roedig 1, Manuel Görtz 1, Martin Karsten 1, Ralf Steinmetz 1,2 1 Industrial Process and System Communications, Darmstadt University of Technology, Germany 1 German
More informationSpecial Issues for Penetration testing of Firewall
보안공학연구논문지 (Journal of Security Engineering), 제 5권 제 4 호, 2008년 8월 Special Issues for Penetration testing of Firewall Hoon Ko 1) Abstract A firewall is a device or software that controls the traffic of
More informationFirewall Configuration. Firewall Configuration. Solution 9-314 1. Firewall Principles
Configuration Configuration Principles Characteristics Types of s Deployments Principles connectivity is a common component of today s s networks Benefits: Access to wide variety of resources Exposure
More informationA Pattern for Whitelisting Firewalls (WLF)
A Pattern for Whitelisting Firewalls (WLF) ISAURA N BONILLA VILLARREAL, Florida Atlantic University EDUARDO B. FERNANDEZ, Florida Atlantic University MARIA M. LARRONDO- PETRIE, Florida Atlantic University
More informationNETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9
NETASQ & PCI DSS Is NETASQ compatible with PCI DSS? We have often been asked this question. Unfortunately, even the best firewall is but an element in the process of PCI DSS certification. This document
More informationArchitecture. The DMZ is a portion of a network that separates a purely internal network from an external network.
Architecture The policy discussed suggests that the network be partitioned into several parts with guards between the various parts to prevent information from leaking from one part to another. One part
More informationIndustrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1
Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3
More informationApplying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events
Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events Abstract Effective Security Operations throughout both DoD and industry are requiring and consuming unprecedented
More informationFirewalls 1 / 43. Firewalls
What s a Firewall Why Use? Tradttional by Analogy Should We Fix the Network Protocols Instead? Firewall Advantages Schematic of a Firewall Conceptual Pieces The DMZ Positioning Why Administrative Domains?
More informationFIREWALL AND NAT Lecture 7a
FIREWALL AND NAT Lecture 7a COMPSCI 726 Network Defence and Countermeasures Muhammad Rizwan Asghar August 3, 2015 Source of most of slides: University of Twente FIREWALL An integrated collection of security
More informationFirewall Design Principles
Firewall Design Principles Software Engineering 4C03 Dr. Krishnan Stephen Woodall, April 6 th, 2004 Firewall Design Principles Stephen Woodall Introduction A network security domain is a contiguous region
More informationWe will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall
Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,
More informationFirewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles
Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations
More informationTABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY
IT FIREWALL POLICY TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION...
More informationFirewalls. Network Security. Firewalls Defined. Firewalls
Network Security Firewalls Firewalls Types of Firewalls Screening router firewalls Computer-based firewalls Firewall appliances Host firewalls (firewalls on clients and servers) Inspection Methods Firewall
More informationPacket Sniffer Detection with AntiSniff
Ryan Spangler University of Wisconsin - Whitewater Department of Computer and Network Administration May 2003 Abstract Packet sniffing is a technique of monitoring every packet that crosses the network.
More informationWhat is Firewall? A system designed to prevent unauthorized access to or from a private network.
What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? (cont d) Firewall is a set of related programs, located at a network gateway server. Firewalls
More informationProject 2: Firewall Design (Phase I)
Project 2: Firewall Design (Phase I) CS 161 - Joseph/Tygar November 12, 2006 1 Edits If we need to make clarifications or corrections to this document after distributing it, we will post a new version
More informationIntrusion Detection Systems
Intrusion Detection Systems Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks André Matos Luís Machado Work Topics 1. Definition 2. Characteristics
More informationFirewalls. CIT304 University of Sunderland Harry R. Erwin, PhD
Firewalls CIT304 University of Sunderland Harry R. Erwin, PhD Resources Garfinkel and Spafford, 1996, Practical UNIX and Internet Security, O Reilly, ISBN: 1-56592-148-8 Schneier, 2000, Secrets and Lies,
More informationSE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane
SE 4C03 Winter 2005 Firewall Design Principles By: Kirk Crane Firewall Design Principles By: Kirk Crane 9810533 Introduction Every network has a security policy that will specify what traffic is allowed
More informationFrom Network Security To Content Filtering
Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals
More informationallow all such packets? While outgoing communications request information from a
FIREWALL RULES Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. The logic is based on a set of guidelines programmed in by a firewall administrator,
More informationTesting Network Security Using OPNET
Testing Network Security Using OPNET Agustin Zaballos, Guiomar Corral, Isard Serra, Jaume Abella Enginyeria i Arquitectura La Salle, Universitat Ramon Llull, Spain Paseo Bonanova, 8, 08022 Barcelona Tlf:
More informationNetwork Security, Guidelines to Build a Security Perimeter for SMEs
Advances in Networks, Computing and Communications 6 Abstract Network Security, Guidelines to Build a Security Perimeter for SMEs S.Godon and P.S.Dowland Centre for Information Security and Network Research,
More informationOverview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
More informationHigh Security Firewall: Prevent Unauthorized Access Using Firewall Technologies
International Journal of Scientific and Research Publications, Volume 6, Issue 4, April 2016 504 High Security Firewall: Prevent Unauthorized Access Using Firewall Technologies S.C. Tharaka, R.L.C. Silva,
More informationCSCI 4250/6250 Fall 2015 Computer and Networks Security
CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP
More informationFirewalls Overview and Best Practices. White Paper
Firewalls Overview and Best Practices White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information use only, does not
More informationNetwork Security - ISA 656 Intro to Firewalls
Network Security - ISA 656 Intro to s Angelos Stavrou August 28, 2007 What s a Intro to s What s a Why Use s? Traditional s Advantages Philosophies Devices examining traffic making access control decisions
More informationChapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security
Chapter 12 Network Security Security Policy Life Cycle A method for the development of a comprehensive network security policy is known as the security policy development life cycle (SPDLC). Network Security
More informationLecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.
Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls. 1 Information systems in corporations,government agencies,and other organizations
More informationNETWORK SECURITY (W/LAB) Course Syllabus
6111 E. Skelly Drive P. O. Box 477200 Tulsa, OK 74147-7200 NETWORK SECURITY (W/LAB) Course Syllabus Course Number: NTWK-0008 OHLAP Credit: Yes OCAS Code: 8131 Course Length: 130 Hours Career Cluster: Information
More information